May 25, 2005, 9:29 am
I am trying to write a class in PHP that removes possible injections in
user-given HTML (from a <textarea>).
I realize that I could prevent any HTML code '<' and '>' but that would,
(IMHO), be a bit of an overkill.
I don't want to limit HTML for the sake of a handful of bad elements,
but before I do that I need to work out what is potentially malicious and
what is not.
My first assertion is that the HTML tags (<a>, <table> etc...) in
themselves are not a potential danger (apart, of course, from <script>). By
that I mean there is no tag that can make my server behave in a certain way,
only the elements in the tag can be hurtful.
My second assertion is that the element style="...", in any tag, cannot
contain any malicious code, (that is for example contain any donkey(...)
etc), so I would be right in allowing any style="...", id="..." and
Are my above assertions right?
And where would I be able to find a more detailed article on the possible
dangers of HTML tags and elements?
I do realize that PHP can have its own problems, but I would like to limit
myself to 'normal' HTML.
Many thanks in advance.
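
An allowlist filter for the kind of class the question describes, as an added example that is not part of the original post: it parses the submitted markup with PHP's DOM extension and keeps only named tags, named attributes and named URL schemes. The function names and the two allowlists are assumptions made for illustration.

```php
<?php
// Added example, not code from the thread; lists and names are assumptions.
const ALLOWED_TAGS  = ['a', 'b', 'i', 'em', 'strong', 'p', 'br', 'ul', 'ol',
                       'li', 'table', 'tr', 'td', 'th'];
// style is left off: CSS can carry url() and, in old Internet Explorer,
// expression(), so allowing it safely needs a CSS parser of its own.
const ALLOWED_ATTRS = ['a' => ['href', 'title'], 'td' => ['colspan'], 'th' => ['colspan']];

function clean_node(DOMNode $node): void
{
    foreach (iterator_to_array($node->childNodes) as $child) {
        if ($child->nodeType === XML_TEXT_NODE) {
            continue;                   // plain text is escaped by saveHTML()
        }
        $tag = strtolower($child->nodeName);
        if (!$child instanceof DOMElement || !in_array($tag, ALLOWED_TAGS, true)) {
            $node->removeChild($child); // comments, <script>, <iframe>... and their contents
            continue;
        }
        foreach (iterator_to_array($child->attributes) as $attr) {
            // href must start with a named scheme, a site-relative path or a fragment.
            $ok = in_array($attr->name, ALLOWED_ATTRS[$tag] ?? [], true)
                && ($attr->name !== 'href'
                    || preg_match('~^(?:https?:|mailto:|/|#)~i', $attr->value) === 1);
            if (!$ok) {
                $child->removeAttributeNode($attr);
            }
        }
        clean_node($child);
    }
}

function sanitize_html(string $html): string
{
    $doc  = new DOMDocument();
    $prev = libxml_use_internal_errors(true);   // user markup is rarely valid
    $doc->loadHTML('<?xml encoding="UTF-8"><body>' . $html . '</body>', LIBXML_NONET);
    libxml_use_internal_errors($prev);
    $body = $doc->getElementsByTagName('body')->item(0);
    clean_node($body);
    $out = '';
    foreach ($body->childNodes as $child) {
        $out .= $doc->saveHTML($child);         // serialize only what survived
    }
    return $out;
}

// Constructed sample input: event handler, script URL, <script>, style.
echo sanitize_html('<p onclick="x()">Hi <a href="javascript:x()" title="t">link</a>'
    . '<script>x()</script> <b style="color:red">bold</b></p>'), "\n";
```

Because the output is re-serialized from the parsed tree, malformed or unclosed tags in the input come out as well-formed markup rather than being passed through as typed.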
Re: Injecting code in HTML
If you're working with a database, beware of SQL Injection, ie:
http://www.securiteam.com/securityreviews/5DP0N1P76E.html has some good
Please respond to the group so others can share